From f283e24b4806246cf7b115af699d21d7142be116 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Tue, 21 May 2019 13:53:12 +0200
Subject: [PATCH 1/3] Fix the noexe must be added for dangerous extension like
 js and shells

---
 htdocs/core/actions_linkedfiles.inc.php |  2 +-
 htdocs/core/lib/files.lib.php           |  2 +-
 htdocs/core/lib/functions.lib.php       | 17 +++++++++++++++++
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/htdocs/core/actions_linkedfiles.inc.php b/htdocs/core/actions_linkedfiles.inc.php
index f23844e5d3d..25ef74127bf 100644
--- a/htdocs/core/actions_linkedfiles.inc.php
+++ b/htdocs/core/actions_linkedfiles.inc.php
@@ -194,7 +194,7 @@ elseif ($action == 'renamefile' && GETPOST('renamefilesave','alpha'))
 	        // Security:
 	        // Disallow file with some extensions. We rename them.
 	        // Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
-	        if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
+            if (isAFileWithExecutableContent($filenameto) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
 	        {
 	            $filenameto.= '.noexe';
 	        }
diff --git a/htdocs/core/lib/files.lib.php b/htdocs/core/lib/files.lib.php
index fae8353052f..63b13dd493d 100644
--- a/htdocs/core/lib/files.lib.php
+++ b/htdocs/core/lib/files.lib.php
@@ -1053,7 +1053,7 @@ function dol_move_uploaded_file($src_file, $dest_file, $allowoverwrite, $disable
 		// Security:
 		// Disallow file with some extensions. We rename them.
 		// Because if we put the documents directory into a directory inside web root (very bad), this allows to execute on demand arbitrary code.
-		if (preg_match('/\.htm|\.html|\.php|\.pl|\.cgi$/i',$dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
+		if (isAFileWithExecutableContent($dest_file) && empty($conf->global->MAIN_DOCUMENT_IS_OUTSIDE_WEBROOT_SO_NOEXE_NOT_REQUIRED))
 		{
 			$file_name.= '.noexe';
 		}
diff --git a/htdocs/core/lib/functions.lib.php b/htdocs/core/lib/functions.lib.php
index 570d00ef2bd..ad910ca6885 100644
--- a/htdocs/core/lib/functions.lib.php
+++ b/htdocs/core/lib/functions.lib.php
@@ -1,4 +1,6 @@
 <?php
+use PhpOffice\PhpSpreadsheet\NamedRange;
+
 /* Copyright (C) 2000-2007	Rodolphe Quiedeville			<rodolphe@quiedeville.org>
  * Copyright (C) 2003		Jean-Louis Bergamo			<jlb@j1b.org>
  * Copyright (C) 2004-2018	Laurent Destailleur			<eldy@users.sourceforge.net>
@@ -7925,3 +7927,18 @@ function roundUpToNextMultiple($n, $x=5)
 {
 	return (ceil($n)%$x === 0) ? ceil($n) : round(($n+$x/2)/$x)*$x;
 }
+
+/**
+ * Return if a file can contains executable content
+ *
+ * @param   string  $filename       File NamedRange
+ * @return  boolean                 True if yes, False if no
+ */
+function isAFileWithExecutableContent($filename)
+{
+    if (preg_match('/\.(htm|html|js|php|phtml|pl|py|cgi|ksh|sh|bash)$/i', $filename))
+    {
+        return true;
+    }
+    return false;
+}

From 479f8616e13c41bd15b020d7aa49bb61e48951b6 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Tue, 21 May 2019 14:03:28 +0200
Subject: [PATCH 2/3] Fix sanitize data

---
 htdocs/admin/external_rss.php | 22 +++++++++++-----------
 1 file changed, 11 insertions(+), 11 deletions(-)

diff --git a/htdocs/admin/external_rss.php b/htdocs/admin/external_rss.php
index 048d002a3b7..c4dd642dfee 100644
--- a/htdocs/admin/external_rss.php
+++ b/htdocs/admin/external_rss.php
@@ -66,8 +66,8 @@ else
 
 if ($action == 'add' || GETPOST("modify"))
 {
-    $external_rss_title = "external_rss_title_" . GETPOST("norss");
-    $external_rss_urlrss = "external_rss_urlrss_" . GETPOST("norss");
+    $external_rss_title = "external_rss_title_" . GETPOST("norss", 'int');
+    $external_rss_urlrss = "external_rss_urlrss_" . GETPOST("norss", 'int');
 
     if (! empty($_POST[$external_rss_urlrss]))
     {
@@ -95,7 +95,7 @@ if ($action == 'add' || GETPOST("modify"))
 		{
 			// Ajoute boite box_external_rss dans definition des boites
 	        $sql = "INSERT INTO ".MAIN_DB_PREFIX."boxes_def (file, note)";
-			$sql.= " VALUES ('box_external_rss.php','".$db->escape(GETPOST("norss").' ('.GETPOST($external_rss_title)).")')";
+			$sql.= " VALUES ('box_external_rss.php','".$db->escape(GETPOST("norss", 'int').' ('.GETPOST($external_rss_title, 'alpha')).")')";
 	        if (! $db->query($sql))
 	        {
 	        	dol_print_error($db);
@@ -103,8 +103,8 @@ if ($action == 'add' || GETPOST("modify"))
 	        }
 		}
 
-		$result1=dolibarr_set_const($db, "EXTERNAL_RSS_TITLE_" . GETPOST("norss"),GETPOST($external_rss_title),'chaine',0,'',$conf->entity);
-		if ($result1) $result2=dolibarr_set_const($db, "EXTERNAL_RSS_URLRSS_" . GETPOST("norss"),GETPOST($external_rss_urlrss),'chaine',0,'',$conf->entity);
+		$result1=dolibarr_set_const($db, "EXTERNAL_RSS_TITLE_" . GETPOST("norss", 'int'), GETPOST($external_rss_title, 'alpha'), 'chaine', 0, '', $conf->entity);
+		if ($result1) $result2=dolibarr_set_const($db, "EXTERNAL_RSS_URLRSS_" . GETPOST("norss", 'int'), GETPOST($external_rss_urlrss, 'alpha'), 'chaine', 0, '', $conf->entity);
 
         if ($result1 && $result2)
         {
@@ -122,13 +122,13 @@ if ($action == 'add' || GETPOST("modify"))
 
 if ($_POST["delete"])
 {
-    if(GETPOST("norss"))
+    if (GETPOST("norss", 'int'))
     {
         $db->begin();
 
 		// Supprime boite box_external_rss de definition des boites
         $sql = "SELECT rowid FROM ".MAIN_DB_PREFIX."boxes_def";
-        $sql.= " WHERE file = 'box_external_rss.php' AND note LIKE '".$db->escape(GETPOST("norss"))." %'";
+        $sql.= " WHERE file = 'box_external_rss.php' AND note LIKE '".$db->escape(GETPOST("norss", 'int'))." %'";
 
 		$resql=$db->query($sql);
 		if ($resql)
@@ -168,8 +168,8 @@ if ($_POST["delete"])
         }
 
 
-		$result1=dolibarr_del_const($db,"EXTERNAL_RSS_TITLE_" . GETPOST("norss"),$conf->entity);
-		if ($result1) $result2=dolibarr_del_const($db,"EXTERNAL_RSS_URLRSS_" . GETPOST("norss"),$conf->entity);
+		$result1=dolibarr_del_const($db,"EXTERNAL_RSS_TITLE_" . GETPOST("norss", 'int'), $conf->entity);
+		if ($result1) $result2=dolibarr_del_const($db,"EXTERNAL_RSS_URLRSS_" . GETPOST("norss", 'int'), $conf->entity);
 
         if ($result1 && $result2)
         {
@@ -270,13 +270,13 @@ if ($resql)
 
 		print '<tr class="oddeven">';
 		print "<td width=\"100px\">".$langs->trans("Title")."</td>";
-		print "<td><input type=\"text\" class=\"flat minwidth300\" name=\"external_rss_title_" . $idrss . "\" value=\"" . $conf->global->$keyrsstitle . "\"></td>";
+		print "<td><input type=\"text\" class=\"flat minwidth300\" name=\"external_rss_title_" . $idrss . "\" value=\"" . dol_escape_htmltag($conf->global->$keyrsstitle) . "\"></td>";
 		print "</tr>";
 
 
 		print '<tr class="oddeven">';
 		print "<td>".$langs->trans("URL")."</td>";
-		print "<td><input type=\"text\" class=\"flat minwidth300\" name=\"external_rss_urlrss_" . $idrss . "\" value=\"" . $conf->global->$keyrssurl . "\"></td>";
+		print "<td><input type=\"text\" class=\"flat minwidth300\" name=\"external_rss_urlrss_" . $idrss . "\" value=\"" . dol_escape_htmltag($conf->global->$keyrssurl) . "\"></td>";
 		print "</tr>";
 
 

From 61ead06950b7a6577da0159c89e860ebaae802a4 Mon Sep 17 00:00:00 2001
From: Laurent Destailleur <eldy@destailleur.fr>
Date: Tue, 21 May 2019 14:33:28 +0200
Subject: [PATCH 3/3] Fix Injection

---
 htdocs/admin/system/database-tables.php | 19 +++++++++++++++----
 htdocs/admin/tools/export_files.php     | 15 +++++++++------
 2 files changed, 24 insertions(+), 10 deletions(-)

diff --git a/htdocs/admin/system/database-tables.php b/htdocs/admin/system/database-tables.php
index addeb3793c6..2da8561d30c 100644
--- a/htdocs/admin/system/database-tables.php
+++ b/htdocs/admin/system/database-tables.php
@@ -36,7 +36,13 @@ $action=GETPOST('action','alpha');
 
 if ($action == 'convert')
 {
-	$db->query("alter table ".$_GET["table"]." ENGINE=INNODB");
+    $sql="ALTER TABLE ".$db->escape(GETPOST("table", "aZ09"))." ENGINE=INNODB";
+	$db->query($sql);
+}
+if ($action == 'convertutf8')
+{
+    $sql="ALTER TABLE ".$db->escape(GETPOST("table", "aZ09"))." CHARACTER SET utf8 COLLATE utf8_unicode_ci";
+    $db->query($sql);
 }
 
 
@@ -111,9 +117,9 @@ else
 
 				print '<td><a href="dbtable.php?table='.$obj->Name.'">'.$obj->Name.'</a></td>';
 				print '<td>'.$obj->Engine.'</td>';
-				if (isset($row[1]) && $row[1] == "MyISAM")
+				if (isset($obj->Engine) && $obj->Engine == "MyISAM")
 				{
-					print '<td><a href="database-tables.php?action=convert&amp;table='.$row[0].'">'.$langs->trans("Convert").'</a></td>';
+				    print '<td><a class="reposition" href="database-tables.php?action=convert&amp;table='.$obj->Name.'">'.$langs->trans("Convert").' InnoDB</a></td>';
 				}
 				else
 				{
@@ -127,7 +133,12 @@ else
 				print '<td align="right">'.$obj->Index_length.'</td>';
 				print '<td align="right">'.$obj->Auto_increment.'</td>';
 				print '<td align="right">'.$obj->Check_time.'</td>';
-				print '<td align="right">'.$obj->Collation.'</td>';
+				print '<td align="right">'.$obj->Collation;
+				if (isset($obj->Collation) && ($obj->Collation == "utf8mb4_general_ci" || $obj->Collation == "utf8mb4_unicode_ci"))
+				{
+				    print '<br><a class="reposition" href="database-tables.php?action=convertutf8&amp;table='.$obj->Name.'">'.$langs->trans("Convert").' UTF8</a>';
+				}
+				print '</td>';
 				print '</tr>';
 				$i++;
 			}
diff --git a/htdocs/admin/tools/export_files.php b/htdocs/admin/tools/export_files.php
index 809cea3b271..4a19fd0e9a6 100644
--- a/htdocs/admin/tools/export_files.php
+++ b/htdocs/admin/tools/export_files.php
@@ -36,6 +36,8 @@ $export_type=GETPOST('export_type','alpha');
 $file=GETPOST('zipfilename_template','alpha');
 $compression = GETPOST('compression');
 
+$file = dol_sanitizeFileName($file);
+
 $sortfield = GETPOST('sortfield','alpha');
 $sortorder = GETPOST('sortorder','alpha');
 $page = GETPOST("page",'int');
@@ -57,10 +59,11 @@ $errormsg='';
 
 if ($action == 'delete')
 {
-	$file=$conf->admin->dir_output.'/'.GETPOST('urlfile');
-	$ret=dol_delete_file($file, 1);
-	if ($ret) setEventMessages($langs->trans("FileWasRemoved", GETPOST('urlfile')), null, 'mesgs');
-	else setEventMessages($langs->trans("ErrorFailToDeleteFile", GETPOST('urlfile')), null, 'errors');
+    $filerelative = dol_sanitizeFileName(GETPOST('urlfile', 'alpha'));
+    $filepath=$conf->admin->dir_output.'/'.$filerelative;
+	$ret=dol_delete_file($filepath, 1);
+	if ($ret) setEventMessages($langs->trans("FileWasRemoved", $filerelative), null, 'mesgs');
+	else setEventMessages($langs->trans("ErrorFailToDeleteFile", $filerelative), null, 'errors');
 	$action='';
 }
 
@@ -122,7 +125,7 @@ elseif (in_array($compression, array('gz', 'bz')))
     $cmd = 'tar -cf '.$outputdir."/".$file." --exclude=documents/admin/documents -C ".DOL_DATA_ROOT." ".DOL_DATA_ROOT."/../documents/";
     exec($cmd, $out, $retval);
     //var_dump($cmd, DOL_DATA_ROOT);exit;
-    
+
     if ($retval != 0)
     {
         $langs->load("errors");
@@ -139,7 +142,7 @@ elseif (in_array($compression, array('gz', 'bz')))
         {
             $cmd = "bzip2 " . $outputdir."/".$file;
         }
-        
+
         exec($cmd, $out, $retval);
         if ($retval != 0)
         {